Bug 1840579

Summary: Provide a way to exclude GPFS file systems from being scanned
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.2CC: dapospis, ekolesni, jafiala, matyc, mhaicman, mmarhefk
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openscap-1.3.4-5.el8 Doc Type: Bug Fix
Doc Text:
.OVAL checks consider GPFS as remote Previously, the OpenSCAP scanner did not identify mounted General Parallel File Systems (GPFS) as remote file systems (FS). As a consequence, OpenSCAP scanned GPFS even for OVAL checks that applied only to local systems. This sometimes caused the scanner to run out of resources and fail to complete the scan. With this update, GPFS has been included in the list of remote FS. As a result, OVAL checks correctly consider GPFS as a remote FS, and the scans are faster.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:29:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1894575    

Description Renaud Métrich 2020-05-27 09:14:16 UTC 
Description of problem:

This is a continuation of BZ #1840578 and BZ #1694962.

As of today, GPFS file systems are not considered as remote file systems, which cause some oscap rules to recurse in such file systems, causing various issues:
- slowness of the scan
- high memory usage

There should be a convenient way to exclude such file systems automatically or administratively through some configuration file.
Customers cannot rely on the workaround described in KCS https://access.redhat.com/solutions/4193501.

For example, if the proposed solution in BZ #1840578 is implemented, this could be easily implemented through specifying "InaccessibleDirectories" systemd property.


Version-Release number of selected component (if applicable):

openscap-scanner-1.2.17-9.el7.x86_64 and later
Comment 1 Jan Černý 2020-06-30 13:59:35 UTC 
We have discussed this internally.

We would like to change the OpenSCAP so that it recognizes GPFS as a remote system. GPFS volumes would be skipped in all rules where the OVAL object definition uses `recurse_file_system` attribute set to `local`. In similar way, we already skip NFS, SMB and other network file systems in these rules.  This solution means that to exclude the remote file systems and GPFS it requires changes on content side: all the rules must use this `recurse_file_system` attribute.

However, we don't want to provide a command line option that excludes specific paths because that would mean the option would override the instructions in SCAP content. We think that it would mean the scanner would behave differently from the specification.
Comment 3 Jan Černý 2020-09-25 13:42:13 UTC 
https://github.com/OpenSCAP/openscap/commit/1541487788a7ffeae0f9ba3ecd4bf7c2a181ef5d
Comment 26 errata-xmlrpc 2021-05-18 15:29:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1784